Adding ETW logging support to a driver

Hi, I am trying to add an ETW logging mechanism to my driver. I have created a manifest file for my events and compiled the .man file using MC.exe.

The corresponding header and resource files are generated. Till now things are fine.

This is how the generated header file looks.

//**********************************************************************
//* This is an include file generated by Message Compiler. *
//* *
//* Copyright (c) Microsoft Corporation. All Rights Reserved. *
//**********************************************************************`
#pragma once
//+
// Provider SysavdEtwProvider Event Count 3
//+
EXTERN_C __declspec(selectany) const GUID Sysavd_ETW_PROVIDER = {0x5912b888, 0xd029, 0x4527, {0xbc, 0x58, 0x8b, 0xda, 0x4d, 0x13, 0xe6, 0xff}};

//
// Channel
//
#define Sysavd_DEBUG 0x10

//
// Opcodes
//
#define OP_Sysavd_FUNCTION_ENTRY 0xa
#define OP_Sysavd_FUNCTION_EXIT 0xb
#define OP_Sysavd_API_RETURN 0xc

//
// Tasks
//
#define TASK_Sysavd_FUNCTION_TRACING 0x1
#define TASK_Sysavd_API_RETURN 0x2
//
// Keyword
//
#define KEYWORD_Sysavd_FUNCTION_ENTRY 0x1
#define KEYWORD_Sysavd_FUNCTION_EXIT 0x2
#define KEYWORD_Sysavd_API_RETURN 0x4

//
// Event Descriptors
//
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR Sysavd_FUNCTION_ENTRY = {0x1, 0x0, 0x10, 0x4, 0xa, 0x1, 0x8000000000000002};
#define Sysavd_FUNCTION_ENTRY_value 0x1
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR Sysavd_FUNCTION_EXIT = {0x2, 0x0, 0x10, 0x4, 0xb, 0x1, 0x8000000000000001};
#define Sysavd_FUNCTION_EXIT_value 0x2
EXTERN_C __declspec(selectany) const EVENT_DESCRIPTOR Sysavd_API_RETURN = {0x3, 0x0, 0x10, 0x4, 0xc, 0x2, 0x8000000000000004};
#define Sysavd_API_RETURN_value 0x3
#define MSG_SysavdEtwProvider_Keyword_KEYWORD_Sysavd_FUNCTION_ENTRY_message 0x10000001L
#define MSG_SysavdEtwProvider_Keyword_KEYWORD_Sysavd_FUNCTION_EXIT_message 0x10000002L
#define MSG_SysavdEtwProvider_Keyword_KEYWORD_Sysavd_API_RETURN_message 0x10000003L
#define MSG_SysavdEtwProvider_opcode_OP_Sysavd_FUNCTION_ENTRY_message 0x3000000AL
#define MSG_SysavdEtwProvider_opcode_OP_Sysavd_FUNCTION_EXIT_message 0x3000000BL
#define MSG_SysavdEtwProvider_opcode_OP_Sysavd_API_RETURN_message 0x3000000CL
#define MSG_level_Informational 0x50000004L
#define MSG_SysavdEtwProvider_task_TASK_Sysavd_FUNCTION_TRACING_message 0x70000001L
#define MSG_SysavdEtwProvider_task_TASK_Sysavd_API_RETURN_message 0x70000002L
#define MSG_SysavdEtwProvider_channel_Sysavd_DEBUG_message 0x90000001L
#define MSG_SysavdEtwProvider_event_1_message 0xB0000001L
#define MSG_SysavdEtwProvider_event_2_message 0xB0000002L
#define MSG_SysavdEtwProvider_event_3_message 0xB0000003L

But this header file doesn't contain a macro to register my provider. Do I need to write the EventRegister functions in this file?

If I try to do that using the API "EventRegister(&sysavdEtwProvider, NULL, NULL, &RegistrationHandle)", it is throwing an error.

I am stuck at this point, please help.

On 2/1/15, 7:36 AM, “xxxxx@hotmail.com” wrote:

>if i try to do that using API " EventRegister(&sysavdEtwProvider, NULL,
>NULL, &RegistrationHandle) " it is throwing error .

What error is it returning? You are calling the kernel mode ETW function
EtwRegister, not the user mode EventRegister? At PASSIVE_LEVEL?

Jan

I am following the steps mentioned in this link
https://msdn.microsoft.com/en-us/library/windows/hardware/ff541236(v=vs.85).aspx

which says

Add the macros that register and unregister the driver as an event provider. For example, in the header file for the Eventdrv sample (evntdrvEvents.h), the message compiler creates macros based upon the name of the provider. In the manifest, the Eventdrv sample uses the name “Sample Driver” as the name of the provider. The message compiler combines the name of the provider with the event macro to register the provider, in this case, EventRegisterSample_Driver.

// This is the generated header file envtdrvEvents.h
//
// …
//
//
// Register with ETW Vista +
//
#ifndef EventRegisterSample_Driver
#define EventRegisterSample_Driver() McGenEventRegister(&DriverControlGuid, McGenControlCallbackV2, &DriverControlGuid_Context, &Sample_DriverHandle)
#endif

I am not clear whether these macros will be generated by MC.exe or I have to write them manually?
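The event descriptors in the header posted at the top of the thread can be checked against the level/keyword rule that decides which events a trace session receives once the provider is registered. This is an added example, not code from the thread or from Microsoft: `EVT_DESC`, `etw_event_enabled` and `enabled_ids` are hypothetical names, the struct only mirrors the field order of `EVENT_DESCRIPTOR` so it builds without Windows headers, and the session masks are assumed to be non-zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Same field order as EVENT_DESCRIPTOR; redeclared here (assumption) to build off-Windows. */
typedef struct {
    uint16_t Id; uint8_t Version, Channel, Level, Opcode;
    uint16_t Task; uint64_t Keyword;
} EVT_DESC;

/* Values copied verbatim from the generated header posted in the thread. */
#define KEYWORD_Sysavd_FUNCTION_ENTRY 0x1
#define KEYWORD_Sysavd_FUNCTION_EXIT  0x2
#define KEYWORD_Sysavd_API_RETURN     0x4
static const EVT_DESC Sysavd_FUNCTION_ENTRY = {0x1, 0x0, 0x10, 0x4, 0xa, 0x1, 0x8000000000000002};
static const EVT_DESC Sysavd_FUNCTION_EXIT  = {0x2, 0x0, 0x10, 0x4, 0xb, 0x1, 0x8000000000000001};
static const EVT_DESC Sysavd_API_RETURN     = {0x3, 0x0, 0x10, 0x4, 0xc, 0x2, 0x8000000000000004};

/* An event reaches a session when its level passes (session level 0 means
 * every level) and its keyword is 0 or shares a bit with the match-any mask
 * while containing every bit of the match-all mask. */
static int etw_event_enabled(const EVT_DESC *d, uint8_t level, uint64_t any, uint64_t all)
{
    if (level != 0 && d->Level > level) return 0;
    if (d->Keyword == 0) return 1;
    return (d->Keyword & any) != 0 && (d->Keyword & all) == all;
}

/* Bitmask of event Ids (bit n set = event Id n) that a session would receive. */
static unsigned enabled_ids(uint8_t level, uint64_t any, uint64_t all)
{
    const EVT_DESC *evts[] = {&Sysavd_FUNCTION_ENTRY, &Sysavd_FUNCTION_EXIT,
                              &Sysavd_API_RETURN};
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof evts / sizeof evts[0]; i++)
        if (etw_event_enabled(evts[i], level, any, all))
            mask |= 1u << evts[i]->Id;
    return mask;
}

int main(void)
{
    printf("ENTRY keyword  -> ids 0x%x\n", enabled_ids(4, KEYWORD_Sysavd_FUNCTION_ENTRY, 0));
    printf("EXIT keyword   -> ids 0x%x\n", enabled_ids(4, KEYWORD_Sysavd_FUNCTION_EXIT, 0));
    printf("RETURN keyword -> ids 0x%x\n", enabled_ids(4, KEYWORD_Sysavd_API_RETURN, 0));
    return 0;
}
```

On the posted values, a session that enables `KEYWORD_Sysavd_FUNCTION_ENTRY` receives event Id 2 (`Sysavd_FUNCTION_EXIT`) and one that enables `KEYWORD_Sysavd_FUNCTION_EXIT` receives event Id 1 (`Sysavd_FUNCTION_ENTRY`), so the keyword assignments for those two events in the manifest are worth rechecking.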